Massive Ransomware Attack Targeting SMB 1 Windows Security Hole

A large-scale ransomware outbreak is currently in effect, using techniques similar to those of last month's WannaCry security incident.

Update 6/28: Microsoft provided its analysis of the Petya ransomware in this post. The malware executes using PsExec, a Telnet replacement tool for executing processes, or it uses the WMIC administrative tool. It steals credentials and moves through a network using the EternalBlue and EternalRomance SMB 1 exploits, which were patched with MS17-010:

Machines that are patched against these exploits (with security update MS17-010) or have disabled SMBv1 are not affected by this particular spreading mechanism. Please refer to our previous blog for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.

Microsoft's post also explained that the attack "targets ports 139 and 445," and that it's possible to block traffic on those ports to prevent malware propagation. "You can also disable remote WMI and file sharing," Microsoft's post advised.
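The following script is an added example, not code from the article or from Microsoft: run from an elevated PowerShell prompt on Windows 8.1/Server 2012 R2 or later, it audits a host for the mitigations listed above (MS17-010 installed, SMBv1 server protocol off, inbound TCP 139/445 blocked, inbound remote WMI and file sharing rules off) and applies the missing ones only when `-Remediate` is given. The `$Ms17010KbIds` value is a placeholder you must fill in with the MS17-010 KB number for the OS build, and the rule name `Block inbound SMB (TCP 139/445)` is this example's own.

```powershell
# Added example: audit (default) or apply (-Remediate) the mitigations named in the article.
[CmdletBinding()]
param(
    [switch]$Remediate,
    # Placeholder: replace with the MS17-010 KB id(s) for this OS build.
    [string[]]$Ms17010KbIds = @('KBxxxxxxx')
)

$findings = @()

# 1. Is MS17-010 installed? Get-HotFix returns nothing if the KB is absent.
$patched = Get-HotFix -Id $Ms17010KbIds -ErrorAction SilentlyContinue
if (-not $patched) { $findings += "MS17-010 ($($Ms17010KbIds -join ',')) not found: install it." }

# 2. SMBv1 server protocol: the spreading mechanism above needs it enabled.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled.'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 3. Inbound block for the two ports Microsoft names (TCP 139 and 445).
$ruleName = 'Block inbound SMB (TCP 139/445)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += 'No inbound block rule for TCP 139/445.'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    }
}

# 4. Remote WMI and file sharing: disable the built-in inbound allow-rule groups.
foreach ($group in 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing') {
    $enabled = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
               Where-Object Enabled -eq 'True'
    if ($enabled) {
        $findings += "Inbound '$group' firewall rules are enabled ($($enabled.Count))."
        if ($Remediate) { $enabled | Disable-NetFirewallRule }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No findings: the listed mitigations are in place on this host.' }
```

Blocking inbound 445 and the file-sharing rule group cuts off legitimate SMB access to the host as well, so run the audit first and apply `-Remediate` only on machines that do not serve shares.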

A report by Reuters described this attack as using ransomware dubbed "Petya" or "GoldenEye," with attacks perhaps starting in Ukraine and Russia, but also spreading worldwide. The ransomware, which seeks $300 in Bitcoin to unlock the data it encrypts, reportedly affected the Ukrainian government's computer network, banks and a power distributor, according to Reuters.

Windows sensors were shut down at the Chernobyl nuclear power plant in Ukraine, according to a BBC report. Rosneft, a Russian oil producer, was reportedly affected but not disabled by the ransomware. The malware also hit A.P. Moller-Maersk, a Danish shipping company, as well as British advertising agency WPP, plus U.S. pharmaceutical company Merck and Co., among others, according to the Reuters account.

Analyses by various software security firms claim that this ransomware is using "EternalBlue," the purportedly leaked attack code said to have originated from the U.S. National Security Agency (NSA). Last month's WannaCry ransomware also leveraged EternalBlue, which uses a Windows Server Message Block 1 (SMB 1) flaw to spread on networks. Microsoft had issued "critical" security bulletin MS17-010 back in March to address this flaw.

While the WannaCry ransomware outbreak was thwarted by a "kill switch," there is no such mechanism this time around to stop the Petya ransomware, according to analysis by Matt Suiche, a Microsoft Most Valuable Professional and founder of Comae Technologies. He affirmed that the Petya ransomware is using the purportedly leaked NSA attack code to target the SMB 1 flaw.

A Microsoft spokesperson recommended the MS17-010 patch, and also advised caution regarding opening attached e-mail files. This time, the ransomware is using "multiple techniques to spread," according to the spokesperson, but Microsoft's antimalware solution will detect it:

Microsoft's antivirus software detects and removes this ransomware. Our initial analysis found that the ransomware may use multiple techniques to spread, including one which was addressed by a security update previously provided for all platforms from Windows XP to Windows 10 (MS17-010). As ransomware also typically spreads via email, customers should exercise caution when opening unknown files. We are continuing to investigate and will take appropriate action to protect customers.

An alert from US-CERT also described a worldwide outbreak of the Petya ransomware, pointing to the MS17-010 patch for the SMB 1 flaw as something for administrators to review.

The SANS Institute referred to the ransomware as a "Petya variant" in an InfoSec Forum post. The malware seems to be tapping the EternalBlue exploit, according to the post, but it added that other researchers say it is propagating using the Windows Management Instrumentation Command-line (WMIC) tool.

Software security firm Ivanti described the new ransomware outbreak as "Petwrap." It's "based on an older Petya variant" that originated from GoldenEye malware back in December, according to an Ivanti blog post.

"The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record," Ivanti explained. "The EternalBlue component enables it to proliferate through an organization that doesn't have the correct patches or antivirus/antimalware software."

Cisco Systems described the ransomware as "Nyetya," a distinct form of the Petya malware, in a blog post. It uses the EternalBlue exploit, but exactly how it spreads hasn't been confirmed. For instance, Cisco pointed to an update to a Ukrainian tax accounting package, MeDoc, as a possible vector. The malware uses Windows Management Instrumentation (WMI) as part of the attack process, according to Cisco.